feat(pqc): Update mlkem/mldsa to draft-ietf-openpgp-pqc-09

Author: lubux

openpgp/clearsign/clearsign.go

@@ -527,7 +527,7 @@ func nameOfHash(h crypto.Hash) string {
 
 func acceptableHashesToWrite(singingKey *packet.PublicKey) []crypto.Hash {
 	switch singingKey.PubKeyAlgo {
-	case packet.PubKeyAlgoEd448:
+	case packet.PubKeyAlgoEd448, packet.PubKeyAlgoMldsa87Ed448:
 		return []crypto.Hash{
 			crypto.SHA512,
 			crypto.SHA3_512,

openpgp/key_generation.go

@@ -392,8 +392,8 @@ func newDecrypter(config *packet.Config) (decrypter interface{}, err error) {
 		}
 		fallthrough // When passing ML-DSA + EdDSA or ECDSA, we generate a ML-KEM + ECDH subkey
 	case packet.PubKeyAlgoMlkem768X25519, packet.PubKeyAlgoMlkem1024X448:
-		if !config.V6() {
-			return nil, goerrors.New("openpgp: cannot create a non-v6 mlkem_x25519 key")
+		if !config.V6() && pubKeyAlgo == packet.PubKeyAlgoMlkem1024X448 {
+			return nil, goerrors.New("openpgp: cannot create a non-v6 mlkem1024_x448 key")
 		}
 
 		c, err := packet.GetECDHCurveFromAlgID(pubKeyAlgo)

openpgp/mldsa_eddsa/mldsa_eddsa.go

@@ -1,5 +1,5 @@
 // Package mldsa_eddsa implements hybrid ML-DSA + EdDSA encryption, suitable for OpenPGP, experimental.
-// It follows the specs https://www.ietf.org/archive/id/draft-ietf-openpgp-pqc-05.html#name-composite-signature-schemes
+// It follows the specs https://www.ietf.org/archive/id/draft-ietf-openpgp-pqc-09.html#name-composite-signature-schemes
 package mldsa_eddsa
 
 import (
@@ -9,6 +9,8 @@ import (
 	"github.com/ProtonMail/go-crypto/openpgp/errors"
 	"github.com/ProtonMail/go-crypto/openpgp/internal/ecc"
 	"github.com/cloudflare/circl/sign"
+	"github.com/cloudflare/circl/sign/mldsa/mldsa65"
+	"github.com/cloudflare/circl/sign/mldsa/mldsa87"
 )
 
 const (
@@ -31,7 +33,7 @@ type PrivateKey struct {
 }
 
 // GenerateKey generates a ML-DSA + EdDSA composite key as specified in
-// https://www.ietf.org/archive/id/draft-ietf-openpgp-pqc-05.html#name-key-generation-procedure-2
+// https://www.ietf.org/archive/id/draft-ietf-openpgp-pqc-09.html#name-key-generation-procedure-2
 func GenerateKey(rand io.Reader, algId uint8, c ecc.EdDSACurve, d sign.Scheme) (priv *PrivateKey, err error) {
 	priv = new(PrivateKey)
 
@@ -70,23 +72,35 @@ func (priv *PrivateKey) DeriveMlDsaKeys(seed []byte, overridePublicKey bool) (er
 }
 
 // Sign generates a ML-DSA + EdDSA composite signature as specified in
-// https://www.ietf.org/archive/id/draft-ietf-openpgp-pqc-05.html#name-signature-generation
-func Sign(priv *PrivateKey, message []byte) (dSig, ecSig []byte, err error) {
+// https://www.ietf.org/archive/id/draft-ietf-openpgp-pqc-09.html#name-signature-generation
+func Sign(priv *PrivateKey, message []byte) (mldsaSig, ecSig []byte, err error) {
 	ecSig, err = priv.PublicKey.Curve.Sign(priv.PublicKey.PublicPoint, priv.SecretEc, message)
 	if err != nil {
 		return nil, nil, err
 	}
 
-	dSig = priv.PublicKey.Mldsa.Sign(priv.SecretMldsa, message, nil)
-	if dSig == nil {
-		return nil, nil, goerrors.New("mldsa_eddsa: unable to sign with ML-DSA")
+	// The default signer interface does not use the hedged variant.
+	// Thus, we need to use the low level api
+	switch key := priv.SecretMldsa.(type) {
+	case *mldsa65.PrivateKey:
+		mldsaSig = make([]byte, mldsa65.SignatureSize)
+		err = mldsa65.SignTo(key, message, nil, true, mldsaSig)
+	case *mldsa87.PrivateKey:
+		mldsaSig = make([]byte, mldsa87.SignatureSize)
+		err = mldsa87.SignTo(key, message, nil, true, mldsaSig)
+	default:
+		err = goerrors.New("mldsa_eddsa: unsupported ML-DSA private key type")
 	}
 
-	return dSig, ecSig, nil
+	if err != nil {
+		return nil, nil, err
+	}
+
+	return mldsaSig, ecSig, nil
 }
 
 // Verify verifies a ML-DSA + EdDSA composite signature as specified in
-// https://www.ietf.org/archive/id/draft-ietf-openpgp-pqc-05.html#name-signature-verification
+// https://www.ietf.org/archive/id/draft-ietf-openpgp-pqc-09.html#name-signature-verification
 func Verify(pub *PublicKey, message, dSig, ecSig []byte) bool {
 	return pub.Curve.Verify(pub.PublicPoint, message, ecSig) && pub.Mldsa.Verify(pub.PublicMldsa, message, dSig, nil)
 }

openpgp/mlkem_ecdh/mlkem_ecdh.go

@@ -1,5 +1,5 @@
 // Package mlkem_ecdh implements hybrid ML-KEM + ECDH encryption, suitable for OpenPGP, experimental.
-// It follows the spec https://www.ietf.org/archive/id/draft-ietf-openpgp-pqc-05.html#name-composite-kem-schemes
+// It follows the spec https://www.ietf.org/archive/id/draft-ietf-openpgp-pqc-09.html#name-composite-kem-schemes
 package mlkem_ecdh
 
 import (
@@ -19,7 +19,7 @@ import (
 const (
 	maxSessionKeyLength = 64
 	MlKemSeedLen        = 64
-	kdfContext          = "OpenPGPCompositeKDFv1"
+	domSep              = "OpenPGPCompositeKDFv1"
 )
 
 type PublicKey struct {
@@ -38,7 +38,7 @@ type PrivateKey struct {
 }
 
 // GenerateKey implements ML-KEM + ECC key generation as specified in
-// https://www.ietf.org/archive/id/draft-ietf-openpgp-pqc-05.html#name-key-generation-procedure
+// https://www.ietf.org/archive/id/draft-ietf-openpgp-pqc-09.html#name-key-generation-procedure
 func GenerateKey(rand io.Reader, algId uint8, c ecc.ECDHCurve, k kem.Scheme) (priv *PrivateKey, err error) {
 	priv = new(PrivateKey)
 
@@ -77,7 +77,7 @@ func (priv *PrivateKey) DeriveMlKemKeys(seed []byte, overridePublicKey bool) (er
 }
 
 // Encrypt implements ML-KEM + ECC encryption as specified in
-// https://www.ietf.org/archive/id/draft-ietf-openpgp-pqc-05.html#name-encryption-procedure
+// https://www.ietf.org/archive/id/draft-ietf-openpgp-pqc-09.html#name-encryption-procedure
 func Encrypt(rand io.Reader, pub *PublicKey, msg []byte) (kEphemeral, ecEphemeral, ciphertext []byte, err error) {
 	if len(msg) > maxSessionKeyLength {
 		return nil, nil, nil, goerrors.New("mlkem_ecdh: session key too long")
@@ -104,7 +104,7 @@ func Encrypt(rand io.Reader, pub *PublicKey, msg []byte) (kEphemeral, ecEphemera
 		return nil, nil, nil, err
 	}
 
-	keyEncryptionKey, err := buildKey(pub, ecSS, ecEphemeral, pub.PublicPoint, kSS, kEphemeral, pub.PublicMlkem)
+	keyEncryptionKey, err := buildKey(pub, ecSS, ecEphemeral, pub.PublicPoint, kSS)
 	if err != nil {
 		return nil, nil, nil, err
 	}
@@ -117,7 +117,7 @@ func Encrypt(rand io.Reader, pub *PublicKey, msg []byte) (kEphemeral, ecEphemera
 }
 
 // Decrypt implements ML-KEM + ECC decryption as specified in
-// https://www.ietf.org/archive/id/draft-ietf-openpgp-pqc-05.html#name-decryption-procedure
+// https://www.ietf.org/archive/id/draft-ietf-openpgp-pqc-09.html#name-decryption-procedure
 func Decrypt(priv *PrivateKey, kEphemeral, ecEphemeral, ciphertext []byte) (msg []byte, err error) {
 	// EC shared secret derivation
 	ecSS, err := priv.PublicKey.Curve.Decaps(ecEphemeral, priv.SecretEc)
@@ -131,7 +131,7 @@ func Decrypt(priv *PrivateKey, kEphemeral, ecEphemeral, ciphertext []byte) (msg
 		return nil, err
 	}
 
-	kek, err := buildKey(&priv.PublicKey, ecSS, ecEphemeral, priv.PublicPoint, kSS, kEphemeral, priv.PublicMlkem)
+	kek, err := buildKey(&priv.PublicKey, ecSS, ecEphemeral, priv.PublicPoint, kSS)
 	if err != nil {
 		return nil, err
 	}
@@ -140,35 +140,27 @@ func Decrypt(priv *PrivateKey, kEphemeral, ecEphemeral, ciphertext []byte) (msg
 }
 
 // buildKey implements the composite KDF from
-// https://github.com/openpgp-pqc/draft-openpgp-pqc/pull/161
-func buildKey(pub *PublicKey, eccSecretPoint, eccEphemeral, eccPublicKey, mlkemKeyShare, mlkemEphemeral []byte, mlkemPublicKey kem.PublicKey) ([]byte, error) {
+// https://www.ietf.org/archive/id/draft-ietf-openpgp-pqc-09.html#name-key-combiner
+func buildKey(pub *PublicKey, eccSecretPoint, eccCipherText, eccPublicKey, mlkemKeyShare []byte) ([]byte, error) {
 	/// Set the output `ecdhKeyShare` to `eccSecretPoint`
 	eccKeyShare := eccSecretPoint
 
-	serializedMlkemPublicKey, err := mlkemPublicKey.MarshalBinary()
-	if err != nil {
-		return nil, err
-	}
-
 	//   mlkemKeyShare   - the ML-KEM key share encoded as an octet string
-	//   mlkemEphemeral  - the ML-KEM ciphertext encoded as an octet string
-	//   mlkemPublicKey  - The ML-KEM public key of the recipient as an octet string
 	//   algId           - the OpenPGP algorithm ID of the public-key encryption algorithm
 	//   eccKeyShare     - the ECDH key share encoded as an octet string
-	//   eccEphemeral    - the ECDH ciphertext encoded as an octet string
+	//   eccCipherText  - the ECDH ciphertext encoded as an octet string
 	//   eccPublicKey    - The ECDH public key of the recipient as an octet string
 
-	// SHA3-256(mlkemKeyShare || eccKeyShare || eccEphemeral || eccPublicKey ||
-	//          mlkemEphemeral || mlkemPublicKey || algId || "OpenPGPCompositeKDFv1")
+	// SHA3-256(mlkemKeyShare || eccKeyShare || eccCipherText || eccPublicKey ||
+	//          algId || "OpenPGPCompositeKDFv1" || len("OpenPGPCompositeKDFv1"))
 	h := sha3.New256()
 	_, _ = h.Write(mlkemKeyShare)
 	_, _ = h.Write(eccKeyShare)
-	_, _ = h.Write(eccEphemeral)
+	_, _ = h.Write(eccCipherText)
 	_, _ = h.Write(eccPublicKey)
-	_, _ = h.Write(mlkemEphemeral)
-	_, _ = h.Write(serializedMlkemPublicKey)
 	_, _ = h.Write([]byte{pub.AlgId})
-	_, _ = h.Write([]byte(kdfContext))
+	_, _ = h.Write([]byte(domSep))
+	_, _ = h.Write([]byte{byte(len(domSep))})
 	return h.Sum(nil), nil
 }
 

openpgp/packet/packet.go

@@ -8,7 +8,6 @@ package packet // import "github.com/ProtonMail/go-crypto/openpgp/packet"
 
 import (
 	"bytes"
-	"crypto"
 	"crypto/cipher"
 	"crypto/rsa"
 	"io"
@@ -514,13 +513,13 @@ const (
 	PubKeyAlgoRSAEncryptOnly PublicKeyAlgorithm = 2
 	PubKeyAlgoRSASignOnly    PublicKeyAlgorithm = 3
 
-	// Experimental PQC KEM algorithms
-	PubKeyAlgoMlkem768X25519 = 105
-	PubKeyAlgoMlkem1024X448  = 106
+	// PQC DSA algorithms
+	PubKeyAlgoMldsa65Ed25519 = 30
+	PubKeyAlgoMldsa87Ed448   = 31
 
-	// Experimental PQC DSA algorithms
-	PubKeyAlgoMldsa65Ed25519 = 107
-	PubKeyAlgoMldsa87Ed448   = 108
+	// PQC KEM algorithms
+	PubKeyAlgoMlkem768X25519 = 35
+	PubKeyAlgoMlkem1024X448  = 36
 )
 
 // CanEncrypt returns true if it's possible to encrypt a message to a public
@@ -545,18 +544,6 @@ func (pka PublicKeyAlgorithm) CanSign() bool {
 	return false
 }
 
-// HandleSpecificHash returns the mandated hash if the algorithm requires it;
-// otherwise, it returns the selectedHash.
-func (pka PublicKeyAlgorithm) HandleSpecificHash(selectedHash crypto.Hash) crypto.Hash {
-	switch pka {
-	case PubKeyAlgoMldsa65Ed25519:
-		return crypto.SHA3_256
-	case PubKeyAlgoMldsa87Ed448:
-		return crypto.SHA3_512
-	}
-	return selectedHash
-}
-
 // CipherFunction represents the different block ciphers specified for OpenPGP. See
 // http://www.iana.org/assignments/pgp-parameters/pgp-parameters.xhtml#pgp-parameters-13
 type CipherFunction algorithm.CipherFunction

openpgp/packet/private_key.go

@@ -561,7 +561,7 @@ func serializeHMACPrivateKey(w io.Writer, priv *symmetric.HMACPrivateKey) (err e
 }
 
 // serializeMlkemPrivateKey serializes a ML-KEM + ECC private key according to
-// https://www.ietf.org/archive/id/draft-ietf-openpgp-pqc-05.html#name-key-material-packets
+// https://www.ietf.org/archive/id/draft-ietf-openpgp-pqc-09.html#name-key-material-packets
 func serializeMlkemPrivateKey(w io.Writer, priv *mlkem_ecdh.PrivateKey) (err error) {
 	if _, err = w.Write(encoding.NewOctetArray(priv.SecretEc).EncodedBytes()); err != nil {
 		return err
@@ -571,7 +571,7 @@ func serializeMlkemPrivateKey(w io.Writer, priv *mlkem_ecdh.PrivateKey) (err err
 }
 
 // serializeMldsaEddsaPrivateKey serializes a ML-DSA + EdDSA private key according to
-// https://www.ietf.org/archive/id/draft-ietf-openpgp-pqc-05.html#name-key-material-packets-2
+// https://www.ietf.org/archive/id/draft-ietf-openpgp-pqc-09.html#name-key-material-packets-2
 func serializeMldsaEddsaPrivateKey(w io.Writer, priv *mldsa_eddsa.PrivateKey) error {
 	if _, err := w.Write(encoding.NewOctetArray(priv.SecretEc).EncodedBytes()); err != nil {
 		return err
@@ -923,8 +923,14 @@ func (pk *PrivateKey) parsePrivateKey(data []byte) (err error) {
 	case ExperimentalPubKeyAlgoHMAC:
 		return pk.parseHMACPrivateKey(data)
 	case PubKeyAlgoMlkem768X25519:
+		if !(pk.Version == 4 || pk.Version >= 6) {
+			return goerrors.New("openpgp: ML-KEM-768+X25519 may only be used with v4 or v6+")
+		}
 		return pk.parseMlkemEcdhPrivateKey(data, 32, mlkem_ecdh.MlKemSeedLen)
 	case PubKeyAlgoMlkem1024X448:
+		if pk.Version < 6 {
+			return goerrors.New("openpgp: ML-KEM-1024+X448 may only be used with v6+")
+		}
 		return pk.parseMlkemEcdhPrivateKey(data, 56, mlkem_ecdh.MlKemSeedLen)
 	case PubKeyAlgoMldsa65Ed25519:
 		return pk.parseMldsaEddsaPrivateKey(data, 32, mldsa_eddsa.MlDsaSeedLen)
@@ -1254,7 +1260,7 @@ func validateCommonSymmetric(seed [32]byte, bindingHash [32]byte) error {
 }
 
 // parseMldsaEddsaPrivateKey parses a ML-DSA + EdDSA private key as specified in
-// https://www.ietf.org/archive/id/draft-ietf-openpgp-pqc-05.html#name-key-material-packets-2
+// https://www.ietf.org/archive/id/draft-ietf-openpgp-pqc-09.html#name-key-material-packets-2
 func (pk *PrivateKey) parseMldsaEddsaPrivateKey(data []byte, ecLen, seedLen int) (err error) {
 	if pk.Version != 6 {
 		return goerrors.New("openpgp: cannot parse non-v6 ML-DSA + EdDSA key")
@@ -1287,11 +1293,8 @@ func (pk *PrivateKey) parseMldsaEddsaPrivateKey(data []byte, ecLen, seedLen int)
 }
 
 // parseMlkemEcdhPrivateKey parses a ML-KEM + ECC private key as specified in
-// https://www.ietf.org/archive/id/draft-ietf-openpgp-pqc-05.html#name-key-material-packets
+// https://www.ietf.org/archive/id/draft-ietf-openpgp-pqc-09.html#name-key-material-packets
 func (pk *PrivateKey) parseMlkemEcdhPrivateKey(data []byte, ecLen, seedLen int) (err error) {
-	if pk.Version != 6 {
-		return goerrors.New("openpgp: cannot parse non-v6 ML-KEM + ECDH key")
-	}
 	pub := pk.PublicKey.PublicKey.(*mlkem_ecdh.PublicKey)
 	priv := new(mlkem_ecdh.PrivateKey)
 	priv.PublicKey = *pub

openpgp/packet/public_key.go

@@ -6,7 +6,6 @@ package packet
 
 import (
 	"bytes"
-	"crypto"
 	"crypto/dsa"
 	"crypto/rsa"
 	"crypto/sha1"
@@ -291,7 +290,7 @@ func NewMlkemEcdhPublicKey(creationTime time.Time, pub *mlkem_ecdh.PublicKey) *P
 	}
 
 	pk := &PublicKey{
-		Version:      6,
+		Version:      4,
 		CreationTime: creationTime,
 		PubKeyAlgo:   PublicKeyAlgorithm(pub.AlgId),
 		PublicKey:    pub,
@@ -615,7 +614,7 @@ func (pk *PublicKey) parseECDH(r io.Reader) (err error) {
 }
 
 // parseMlkemEcdh parses a ML-KEM + ECC public key as specified in
-// https://www.ietf.org/archive/id/draft-ietf-openpgp-pqc-05.html#name-key-material-packets
+// https://www.ietf.org/archive/id/draft-ietf-openpgp-pqc-09.html#name-key-material-packets
 func (pk *PublicKey) parseMlkemEcdh(r io.Reader, ecLen, kLen int) (err error) {
 	pk.p = encoding.NewEmptyOctetArray(ecLen)
 	if _, err = pk.p.ReadFrom(r); err != nil {
@@ -800,7 +799,7 @@ func readBindingHash(r io.Reader) (bindingHash [32]byte, err error) {
 }
 
 // parseMldsaEddsa parses a ML-DSA + EdDSA public key as specified in
-// https://www.ietf.org/archive/id/draft-ietf-openpgp-pqc-05.html#name-key-material-packets-2
+// https://www.ietf.org/archive/id/draft-ietf-openpgp-pqc-09.html#name-key-material-packets-2
 func (pk *PublicKey) parseMldsaEddsa(r io.Reader, ecLen, dLen int) (err error) {
 	pk.p = encoding.NewEmptyOctetArray(ecLen)
 	if _, err = pk.p.ReadFrom(r); err != nil {
@@ -1140,12 +1139,6 @@ func (pk *PublicKey) VerifySignature(signed hash.Hash, sig *Signature) (err erro
 		}
 		return nil
 	case PubKeyAlgoMldsa65Ed25519, PubKeyAlgoMldsa87Ed448:
-		if pk.PubKeyAlgo == PubKeyAlgoMldsa65Ed25519 && sig.Hash != crypto.SHA3_256 {
-			return errors.SignatureError(fmt.Sprintf("verification failure: Mldsa65Ed25519 requires sha3-256 message hash: has %s", sig.Hash))
-		}
-		if pk.PubKeyAlgo == PubKeyAlgoMldsa87Ed448 && sig.Hash != crypto.SHA3_512 {
-			return errors.SignatureError(fmt.Sprintf("verification failure: Mldsa87Ed448 requires sha3-512 message hash: has %s", sig.Hash))
-		}
 		mldsaEddsaPublicKey := pk.PublicKey.(*mldsa_eddsa.PublicKey)
 		if !mldsa_eddsa.Verify(mldsaEddsaPublicKey, hashBytes, sig.MldsaSig.Bytes(), sig.EdDSASigR.Bytes()) {
 			return errors.SignatureError("MldsaEddsa verification failure")

openpgp/packet/signature.go

@@ -10,7 +10,6 @@ import (
 	"crypto/dsa"
 	"encoding/asn1"
 	"encoding/binary"
-	"fmt"
 	"hash"
 	"io"
 	"math/big"
@@ -365,7 +364,7 @@ func (sig *Signature) parse(r io.Reader) (err error) {
 }
 
 // parseMldsaEddsaSignature parses an ML-DSA + EdDSA signature as specified in
-// https://www.ietf.org/archive/id/draft-ietf-openpgp-pqc-05.html#name-signature-packet-tag-2
+// https://www.ietf.org/archive/id/draft-ietf-openpgp-pqc-09.html#name-signature-packet-tag-2
 func (sig *Signature) parseMldsaEddsaSignature(r io.Reader, ecLen, dLen int) (err error) {
 	sig.EdDSASigR = encoding.NewEmptyOctetArray(ecLen)
 	if _, err = sig.EdDSASigR.ReadFrom(r); err != nil {
@@ -1043,12 +1042,6 @@ func (sig *Signature) Sign(h hash.Hash, priv *PrivateKey, config *Config) (err e
 		if sig.Version != 6 {
 			return errors.StructuralError("cannot use MldsaEdDsa on a non-v6 signature")
 		}
-		if priv.PubKeyAlgo == PubKeyAlgoMldsa65Ed25519 && sig.Hash != crypto.SHA3_256 {
-			return errors.StructuralError(fmt.Sprintf("Mldsa65Ed25519 requires sha3-256 message hash: got %s", sig.Hash))
-		}
-		if priv.PubKeyAlgo == PubKeyAlgoMldsa87Ed448 && sig.Hash != crypto.SHA3_512 {
-			return errors.StructuralError(fmt.Sprintf("Mldsa87Ed448 requires sha3-512 message hash: got %s", sig.Hash))
-		}
 		sk := priv.PrivateKey.(*mldsa_eddsa.PrivateKey)
 		dSig, ecSig, err := mldsa_eddsa.Sign(sk, digest)